Race condition attack unveiled
The security protections offered by Google’s reCAPTCHA technology can be partially bypassed by using Turbo Intruder, a research-focused Burp Suite extension, to trigger a race condition.
The security weakness was discovered by James Kettle, director of research at PortSwigger Web Security, and reported to Google eight months ago. Google declined to fix the vulnerability, “leaving the patching burden on individual websites,” according to Kettle.
Kettle went public with his research on the security shortcomings of Google reCAPTCHA, alongside suggested remediations, on Wednesday.
His write-up uses reCAPTCHA-protected signups to Reddit in order to illustrate a far more widespread problem. The attack was tested against Google reCaptcha v3, the latest version of the technology.
Race condition
The security researcher first came across the issue when carrying out a security audit of PortSwigger’s self-registration feature, which is protected with reCAPTCHA.
Kettle discovered that a valid reCAPTCHA solution can be used multiple times, instead of only once, providing requests are all submitted within a short time window measurable in milliseconds.
“This is particularly surprising thanks to the design of reCAPTCHA, where users don't directly connect to the server that validates the solution token,” Kettle explains in a write-up of his research.
“When you perform this attack, you’re actually forcing the target website to trigger the race condition on your behalf.”
After discovering the vulnerability, PortSwigger researchers and developers teamed up to develop a workaround to block potential attacks before notifying Google about the issue, together with a proof of concept.
Disclosure
Despite working successfully with Google on previous security disclosures, Kettle struggled to get his point heard in this case – even after producing a video-based demonstration of the attack, fulfilling Google’s request on this point.
Kettle restated that he’d found the vulnerability on a live website. Despite this, Google concluded that the attack presented no credible real-world threat due to latency and other issues.
Having given Google ample opportunity to respond, but without getting it to patch the issue, Kettle decided to go public about the “moderate severity” flaw.
The vulnerability potentially affects any website using reCAPTCHA, but Kettle chose Reddit as an example since it’s a well-known target for spammers, and the account-registration process is reCAPTCHA-protected.
I am not an Intruder
Turbo Intruder uses a custom HTTP stack that permits users to queue up a series of partially completed web requests before sending the last byte of every request. This helps to get multiple requests from the same source processed within a very short time window.
By using Turbo Intruder against Reddit’s reCAPTCHA, it was possible to triple the number of spam-ready accounts registered for each solved captcha challenge, as demonstrated by a video put together by Kettle.
The same technique might be used on other sites to interfere with online voting or the posting of reviews.
“Hopefully this post will help persuade someone at Google that this attack is actually plausible, and should be fixed,” Kettle concludes in a technical blog post.
“Till then, if you’re using reCAPTCHA, you’ll need to manually secure it by locking/synchronizing on the g-recaptcha-response token. Depending on your own application architecture this may be impossible, and you'll have to wait for Google to fix it.”
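One way a site can apply the locking Kettle recommends, as an added example that is neither the article’s nor Kettle’s own code: the handler claims the g-recaptcha-response token atomically before forwarding it to the verifier, so a burst of parallel requests carrying the same solution yields exactly one successful signup. The verifier call is stubbed, the token value is constructed, and the 120-second expiry is an assumed figure.

```python
import threading
import time


class RecaptchaTokenGuard:
    """Single-use registry for g-recaptcha-response tokens. The claim is taken
    atomically before the token is forwarded to the verifier, so parallel
    requests carrying the same solution cannot all pass. Entries expire after
    ttl_seconds (assumed to cover the token's own lifetime) to bound memory."""

    def __init__(self, ttl_seconds=120.0):
        self._ttl = ttl_seconds
        self._lock = threading.Lock()
        self._claimed = {}  # token -> monotonic expiry time

    def claim(self, token, now=None):
        """Return True only for the first caller to present this token."""
        now = time.monotonic() if now is None else now
        with self._lock:
            for stale in [t for t, exp in self._claimed.items() if exp <= now]:
                del self._claimed[stale]
            if token in self._claimed:
                return False
            self._claimed[token] = now + self._ttl
            return True


def register_account(guard, token, verify):
    """Signup handler: claim the token first, then call the upstream verifier
    (`verify` stands in for the siteverify call and is stubbed below)."""
    if not guard.claim(token):
        return "rejected: token already used"
    if not verify(token):
        return "rejected: captcha failed"
    return "registered"


def simulate_burst(request_count, token="constructed-token"):
    """Fire request_count signups with one token at the same instant (the barrier
    mimics last-byte synchronisation) and return how many got through."""
    guard = RecaptchaTokenGuard()
    results = []
    barrier = threading.Barrier(request_count)

    def worker():
        barrier.wait()
        results.append(register_account(guard, token, lambda t: True))

    threads = [threading.Thread(target=worker) for _ in range(request_count)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count("registered")
```

With several worker processes the in-memory dict must be replaced by a shared store offering an atomic set-if-absent with expiry; the claim-before-verify ordering is what closes the window.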
The research has sparked a lively discussion on Reddit, the target of Kettle’s proof-of-concept attack.
Some in the thread suggested that Google reCaptcha can be even more comprehensively defeated by bots downloading an audio version of the challenge and using Google's own speech-to-text APIs (or others) to solve it.
This is accomplished in practice using tools such as unCaptcha2, which has been available since April 2017 and defeats the protections offered by Google reCaptcha v2, as previously reported.
Google’s latest version, reCaptcha v3, is more resistant to such audio trickery but remains vulnerable by default to the race condition attack demonstrated by Kettle.